Folks,
What is the procedure for creating Samba shares and getting around the SELinux issues?
Samba by default no longer works with shares such as [homes] and any other added shares without administrator intervention to add SELinux labels on share directories.
Please direct me to the FAQ for Samba & SELinux or please tell me what I have to do to get samba shares working.
In my case - I am getting permission denied in the audit logs and in the message logs for nmbd, I am getting directories do not exist errors (when they actually do!).
Kind regards, Dan
On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
Does 'man samba_selinux' still cover the issue adequately? Or does it need to be updated?
On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
/usr/sbin/setsebool -P samba_enable_home_dirs=1
/usr/sbin/setsebool -P smbd_disable_trans=1
That's what I had to do to get samba working with home shares on FC5.
Bob
On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
Thanks for the response! Yes, I did that for [home] but the problem is what to do with: /var/www
There are many different contexts for this directory and all the files under it and I was not sure how to make this directory a samba share without blowing away the original context in fear of breaking it all to bits.
I want to keep all the original context AND add samba share context OR the public_share_rw_t as Stephen Smalley recommended but I was not sure how to do that. This is the question I asked of Mr Smalley and I am waiting to hear of his response.
Kind regards, Dan
On Wed, 2006-04-05 at 13:26 -0700, Dan Thurman wrote:
Well if you have things setup properly then you should be able to read/write to your /var/www dir just fine as-is without any extra changes. I can access my /var/www content just fine via samba without any extra tweaking of selinux.
I basically access my /var/www dir through my home dir. Just create a symlink from your home dir to /var/www and make sure that you own the dirs and have the right permissions to rw to it.
Bob
On Wed, 2006-04-05 at 13:26 -0700, Dan Thurman wrote:
You can't have multiple contexts for a file, so it's not possible AFAIK to have both the original context *and* public_content_rw_t.
If your web server is only serving static data (nothing that requires write access to /var/www for the web server itself), you could relabel /var/www/* as public_content_t. If you have internal scripting like PHP that needs write access, you could use public_content_rw_t.
However, if you're using cgi scripts that currently need httpd_script_exec_t, you'd need to generate a local policy module that allowed samba to read/write the httpd_* types.
Paul.
On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
You can't have multiple contexts for a file, so it's not possible AFAIK to have both the original context *and* public_content_rw_t.
Correct. See the "Multiple contexts" thread on the selinux list from Jan 10 2005 for a discussion of why multiple contexts per file is a bad idea. In short, it makes information flow analysis impossible without considering the entire filesystem state.
If your web server is only serving static data (nothing that requires write access to /var/www for the web server itself), you could relabel /var/www/* as public_content_t. If you have internal scripting like PHP that needs write access, you could use public_content_rw_t.
However, if you're using cgi scripts that currently need httpd_script_exec_t, you'd need to generate a local policy module that allowed samba to read/write the httpd_* types.
Yes, local policy module seems like the sanest choice. If this is a common situation, I suppose it could be incorporated into the upstream policy under a boolean.
On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Ugh... I am too stupid to figure this out.
Can someone give me some examples, step-by-step how I can do it?
Steps perform IN ORDER listed:
1) relabel /var/www
   a) chcon -R -t public_content_t /var/www
   b) chcon -R -t public_content_rw_t /var/www/html/php (hypothetical PHP area)
2) Local policy rules
   a) ???? I have no clue how to do this step!
Thanks! Dan
On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
If taking option (2), you don't need to relabel /var/www at all - leave it with the httpd* types. Instead, you just allow the domain in which samba runs to access the httpd content types. Try the following sequence:

$ mkdir foo
$ cd foo
$ vi local.te
<insert text below>
policy_module(local, 1.0)

require {
	attribute httpdcontent;
	type smbd_t;
}

allow smbd_t httpdcontent:dir create_dir_perms;
allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
:wq
$ touch local.if local.fc
$ make -f /usr/share/selinux/devel/Makefile
Compliling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
$ su
Password:
# semodule -i local.pp
Then re-try accessing the /var/www content from samba, and if it still doesn't work, check your /var/log/messages files for avc: denied messages.
Notes to others on cc list:
1) Should this already be supported under a boolean in the base policy?
2) If not (or even if so), do we need more general interfaces from apache to allow other domains to manage all httpd content types?
3) Did I really need to create empty .if and .fc files, or was there some way to suppress the need for them when I did the make?
4) Compliling isn't a word ;)
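The sequence above, scripted as an added example (this is not code from the thread or from the Fedora policy): it writes the same local.te, checks that checkmodule, the refpolicy devel Makefile and semodule are present before running make (a missing checkmodule means the checkpolicy package is not installed), builds and loads the module, and reduces any remaining "avc: denied" lines to source type, target type, class and permissions so you can see which types the module still does not reach. The module name "local", the mktemp scratch directory, the package names in the error messages and the sample log lines are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: Stephen's local-module sequence
# scripted, with a prerequisite check and an AVC-denial summary helper.
# Assumptions: module name "local", a mktemp scratch directory, the Fedora
# package names in the error messages, and constructed sample log lines.

# Emit local.te with the two rules posted above: smbd_t may manage
# directories, files and symlinks of any httpd content type, so /var/www
# keeps its httpd_* labels.
write_local_te() {
    cat <<'EOF'
policy_module(local, 1.0)

require {
	attribute httpdcontent;
	type smbd_t;
}

allow smbd_t httpdcontent:dir create_dir_perms;
allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
EOF
}

# Verify the build and load tools exist before running make; return 1 and
# say what to install otherwise (checkmodule ships in checkpolicy).
check_prereqs() {
    rc=0
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found: yum install checkpolicy" >&2
        rc=1
    fi
    if [ ! -r /usr/share/selinux/devel/Makefile ]; then
        # Package name assumed: the selinux-policy development package.
        echo "/usr/share/selinux/devel/Makefile not found: install selinux-policy-devel" >&2
        rc=1
    fi
    if ! command -v semodule >/dev/null 2>&1; then
        echo "semodule not found: install policycoreutils" >&2
        rc=1
    fi
    return $rc
}

# Build local.pp in a scratch directory and load it (semodule needs root).
build_and_install() {
    check_prereqs || return 1
    work=$(mktemp -d) || return 1
    (
        cd "$work" &&
        write_local_te > local.te &&
        touch local.if local.fc &&
        make -f /usr/share/selinux/devel/Makefile &&
        semodule -i local.pp
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

# Reduce "avc: denied" lines on stdin to "source_type target_type class perms",
# one per denial, so you can see which target types the module still misses.
# Lines that are not AVC denials are dropped.
avc_summary() {
    sed -n 's/.*avc: *denied *{ *\([^}]*[^ }]\) *}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Constructed sample of /var/log/messages lines (not real log output).
sample_avc_lines() {
    cat <<'EOF'
Apr  6 13:00:01 copper kernel: audit(1144353601.123:45): avc:  denied  { read } for  pid=2345 comm="smbd" name="index.html" dev=hda2 ino=98765 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Apr  6 13:00:02 copper kernel: audit(1144353602.456:46): avc:  denied  { write add_name } for  pid=2345 comm="smbd" name="html" dev=hda2 ino=98766 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_script_rw_t:s0 tclass=dir
Apr  6 13:00:03 copper smbd[2345]: connect to service www initially as user dan (uid=500, gid=500) (pid 2345)
EOF
}
```

Run `build_and_install` as root. Afterwards `grep 'avc: *denied' /var/log/messages | avc_summary | sort -u` lists whatever smbd_t still cannot reach; a target type that is not an httpd content type is outside the httpdcontent attribute and needs either its own rule in local.te or a relabel decision.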
On Thu, 2006-04-06 at 14:04 -0400, Stephen Smalley wrote:
On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
[cut]
allow smbd_t httpdcontent:dir create_dir_perms; allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
[cut]
Notes to others on cc list:
1) Should this already be supported under a boolean in the base policy?
Doesn't seem unreasonable to add.
2) If not (or even if so), do we need more general interfaces from apache to allow other domains to manage all httpd content types?
It would be required for the support to be added to refpolicy.
3) Did I really need to create empty .if and .fc files, or was there some way to suppress the need for them when I did the make?
I don't know of a way that doesn't need more infrastructure. I'll add a target for fc and if files which will touch them if they're missing, which will have the same effect.
On Thu, 2006-04-06 at 14:04 -0400, Stephen Smalley wrote:
Uh oh... tried to follow your 2) example, and here are the results...
[root@copper ~]# mkdir foo
[root@copper ~]# cd foo
[root@copper foo]# ls
[root@copper foo]# vi local.te
[root@copper foo]# touch local.if local.fc
[root@copper foo]# make -f /usr/share/selinux/devel/Makefile
Compliling targeted local module
make: /usr/bin/checkmodule: Command not found
make: *** [tmp/local.mod] Error 127
[root@copper foo]#
Kind regards, Dan
On 4/6/06 4:18 PM, "Dan Thurman" dant@cdkkt.com wrote:
You need to install the checkpolicy rpm, which includes checkmodule. So, just yum install it and that should solve this problem.
Chad
On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
Forgot to mention that you need to restart samba for things to work.
/sbin/service smb restart
Bob
On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
/usr/sbin/setsebool -P samba_enable_home_dirs=1
/usr/sbin/setsebool -P smbd_disable_trans=1
That's what I had to do to get samba working with home shares on FC5.
The second of these is turning off SELinux protection for the samba server. It really shouldn't be necessary to do that if you're just trying to share home directories (/home/*) using samba.
Paul.
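An added check for the two booleans Bob and Paul discuss, written here as an example and not taken from the thread: it reads `getsebool -a` output and fails if samba_enable_home_dirs is off (home shares will be denied) or if any `*_disable_trans` boolean is on, since each of those leaves that daemon running outside its confined domain, which is what Paul warns about for smbd_disable_trans. It generalizes slightly by reporting every disable_trans boolean rather than only Samba's. The sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit "getsebool -a" output for
# the Samba booleans discussed above. It also reports every *_disable_trans
# boolean that is on, not only Samba's, since each one leaves that daemon
# running outside its domain. The sample output below is constructed.

# Constructed sample in the "name --> on|off" form that getsebool -a prints.
sample_booleans() {
    cat <<'EOF'
httpd_disable_trans --> off
nmbd_disable_trans --> off
samba_enable_home_dirs --> on
smbd_disable_trans --> on
EOF
}

# Print the *_disable_trans booleans that are on, one per line.
unconfined_daemons() {
    awk '$1 ~ /_disable_trans$/ && $3 == "on" { print $1 }'
}

# Read getsebool output on stdin; return 0 only if [homes] shares are
# permitted and no daemon has its domain transition disabled.
samba_boolean_check() {
    input=$(cat)
    rc=0
    if ! printf '%s\n' "$input" |
        awk '$1 == "samba_enable_home_dirs" && $3 == "on" { ok=1 } END { exit (ok ? 0 : 1) }'; then
        echo "samba_enable_home_dirs is off: [homes] shares will be denied" >&2
        echo "  fix: setsebool -P samba_enable_home_dirs=1" >&2
        rc=1
    fi
    for b in $(printf '%s\n' "$input" | unconfined_daemons); do
        echo "$b is on: that daemon runs unconfined" >&2
        echo "  fix: setsebool -P $b=0, then restart the service so it starts in its domain" >&2
        rc=1
    done
    return $rc
}
```

Usage: `getsebool -a | samba_boolean_check`. A daemon already running unconfined stays that way until it is restarted, which is why the fix message pairs the setsebool with a service restart.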
On Thu, 2006-04-06 at 07:42 +0100, Paul Howarth wrote:
The second of these is turning off SELinux protection for the samba server. It really shouldn't be necessary to do that if you're just trying to share home directories (/home/*) using samba.
For some odd reason I needed to add the second one to get things working the first time around. I just tried it again without the second one and everything works fine. I guess I did something wrong the first time.
Thanks, for clarifying. :)
Bob
selinux@lists.fedoraproject.org